mm: avoid data corruption on CoW fault into PFN-mapped VMA

author Kirill A. Shutemov <kirill@shutemov.name>

Fri, 6 Mar 2020 06:28:32 +0000 (22:28 -0800)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 1 Oct 2020 11:14:36 +0000 (13:14 +0200)
author Kirill A. Shutemov <kirill@shutemov.name>
Fri, 6 Mar 2020 06:28:32 +0000 (22:28 -0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 1 Oct 2020 11:14:36 +0000 (13:14 +0200)
diff --git a/mm/memory.c b/mm/memory.c

index fcad8a0..eeae63b 100644 (file)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2353,7 +2353,7 @@ static inline bool cow_user_page(struct page *dst, struct page *src,
         bool ret;
         void *kaddr;
         void __user *uaddr;
-       bool force_mkyoung;
+       bool locked = false;
         struct vm_area_struct *vma = vmf->vma;
         struct mm_struct *mm = vma->vm_mm;
         unsigned long addr = vmf->address;
@@ -2378,11 +2378,11 @@ static inline bool cow_user_page(struct page *dst, struct page *src,
          * On architectures with software "accessed" bits, we would
          * take a double page fault, so mark it accessed here.
          */
-       force_mkyoung = arch_faults_on_old_pte() && !pte_young(vmf->orig_pte);
-       if (force_mkyoung) {
+       if (arch_faults_on_old_pte() && !pte_young(vmf->orig_pte)) {
                 pte_t entry;
  
                 vmf->pte = pte_offset_map_lock(mm, vmf->pmd, addr, &vmf->ptl);
+               locked = true;
                 if (!likely(pte_same(*vmf->pte, vmf->orig_pte))) {
                         /*
                          * Other thread has already handled the fault
@@ -2406,18 +2406,37 @@ static inline bool cow_user_page(struct page *dst, struct page *src,
          * zeroes.
          */
         if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) {
+               if (locked)
+                       goto warn;
+
+               /* Re-validate under PTL if the page is still mapped */
+               vmf->pte = pte_offset_map_lock(mm, vmf->pmd, addr, &vmf->ptl);
+               locked = true;
+               if (!likely(pte_same(*vmf->pte, vmf->orig_pte))) {
+                       /* The PTE changed under us. Retry page fault. */
+                       ret = false;
+                       goto pte_unlock;
+               }
+
                 /*
-                * Give a warn in case there can be some obscure
-                * use-case
+                * The same page can be mapped back since last copy attampt.
+                * Try to copy again under PTL.
                  */
-               WARN_ON_ONCE(1);
-               clear_page(kaddr);
+               if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) {
+                       /*
+                        * Give a warn in case there can be some obscure
+                        * use-case
+                        */
+warn:
+                       WARN_ON_ONCE(1);
+                       clear_page(kaddr);
+               }
         }
  
         ret = true;
  
  pte_unlock:
-       if (force_mkyoung)
+       if (locked)
                 pte_unmap_unlock(vmf->pte, vmf->ptl);
         kunmap_atomic(kaddr);
         flush_dcache_page(dst);
author	Kirill A. Shutemov <kirill@shutemov.name>
	Fri, 6 Mar 2020 06:28:32 +0000 (22:28 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 1 Oct 2020 11:14:36 +0000 (13:14 +0200)